saml: Add option to restrict subdomain access based on SAML attributes.

Adds the ability to set a SAML attribute which contains a
list of subdomains the user is allowed to access. This allows a Zulip
server with multiple organizations to filter using SAML attributes
which organization each user can access.

Cleaned up and adapted by Mateusz Mandera to fit our conventions and
needs more.

Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>

docs/production/authentication-methods.md

@@ -162,6 +162,34 @@ authenticate the user to when they visit your SSO URL from the IdP.
 ```eval_rst
 .. _ldap:
 ```
+
+### Restricting access to specific organizations
+
+If you're hosting multiple Zulip organizations, you can restrict which
+organizations can use a given IdP by setting `limit_to_subdomains`.
+For example, `limit_to_subdomains = ["", "engineering"]` would
+restrict an IdP the root domain and the `engineering` subdomain.
+
+You can achieve the same goal with a SAML attribute; just declare
+which attribute using `attr_org_membership` in the IdP configuration.
+For the root subdomain, `www` in the list will work, or any other of
+`settings.ROOT_SUBDOMAIN_ALIASES`.
+
+For example, with `attr_org_membership` set to `member`, a user with
+the following attribute in their `AttributeStatement` will have access
+to the root and `engineering` subdomains:
+
+```
+<saml2:Attribute Name="member" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
+    www
+  </saml2:AttributeValue>
+  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
+    engineering
+  </saml2:AttributeValue>
+</saml2:Attribute>
+```
+
 ## LDAP (including Active Directory)
 
 Zulip supports retrieving information about users via LDAP, and